HostPedia

DNSSEC

Definition

DNSSEC (DNS Security Extensions) is a set of extensions to DNS that adds cryptographic signatures to DNS record sets so that a validating resolver can check that an answer really came from the zone's operator and was not altered in transit. It helps prevent DNS spoofing and cache poisoning by establishing a chain of trust from the root zone down to a domain. DNSSEC does not encrypt traffic or hide queries; it provides origin authentication and integrity for DNS data.

How It Works

DNSSEC signs DNS zone data with public-key cryptography. A zone publishes DNSKEY records (its public keys) and adds RRSIG records (signatures) over each record set, for example the A, AAAA, MX, or TXT records at a name. When a validating resolver receives an answer, it also fetches the zone's DNSKEY set, checks the RRSIG against the matching public key, and checks that the current time falls inside the signature's inception and expiration window. A good signature shows the data was produced by the holder of the zone's private key and has not been modified since; a missing, bad, or expired signature marks the answer as bogus and the resolver refuses to return it (clients see SERVFAIL).

Trust is established through delegation. The parent zone publishes a DS record containing a hash of the child zone's key-signing DNSKEY, and the parent signs that DS record with its own keys; repeated at every level, this creates a chain of trust from the DNS root, whose key validating resolvers hold as a configured trust anchor, down to the domain. Zone operators typically use a Key Signing Key (KSK), the key the parent's DS points at, to sign the DNSKEY record set that contains the Zone Signing Key (ZSK), and the ZSK signs the rest of the zone records; this split lets the ZSK be rolled frequently without touching the parent. DNSSEC also uses NSEC or NSEC3 records for authenticated denial of existence: signed proof that a name or record type truly does not exist, so that forged negative answers are rejected too. NSEC3 hashes the names it lists, which makes enumerating a zone by walking its NSEC chain harder.
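The chain described above, as an added example that is not part of the original page: a small Go program, using the standard library's Ed25519 (which DNSSEC supports as algorithm 15), builds a signed parent zone and child zone, publishes the child's DS in the parent, and validates an A record the way a resolver does: trust anchor, parent DNSKEY set, DS for the child, child DNSKEY set, then the answer. The zone names, addresses, and the text encoding of records are constructed for this example and simplified relative to RFC 4034 wire format; key tags, RRSIG validity windows, DNSKEY flags, and NSEC records are left out. The last two cases in main show the two ways the chain breaks that matter in practice: a forged answer, and a KSK rolled without the parent's DS being updated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// RRset: owner name, type, records, and the RRSIG over them.
type RRset struct {
	Name, Type string
	RData      []string
	Sig        []byte
}

// canonical is the signed form (RFC 4034 s.6 uses canonical wire format; this is a text stand-in).
func (r RRset) canonical() []byte {
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + strings.Join(r.RData, "|"))
}

type DNSKEY = ed25519.PublicKey // DNSSEC algorithm 15 key; the flags/protocol fields are omitted

// DS is the digest the parent publishes for a child KSK: SHA-256 over owner name and key.
func DS(owner string, k DNSKEY) string {
	sum := sha256.Sum256([]byte(strings.ToLower(owner) + "|" + hex.EncodeToString(k)))
	return hex.EncodeToString(sum[:])
}

// Zone: DNSKEY set (Keys[0] = KSK, Keys[1] = ZSK), private keys, and RRsets keyed by "name/type".
type Zone struct {
	Name             string
	Keys             []DNSKEY
	kskPriv, zskPriv ed25519.PrivateKey
	RRsets           map[string]RRset
}

func rrKey(name, typ string) string { return strings.ToLower(name) + "/" + typ }
func (z *Zone) Add(rr RRset)         { z.RRsets[rrKey(rr.Name, rr.Type)] = rr }

func NewZone(name string) *Zone {
	kpub, kpriv, _ := ed25519.GenerateKey(rand.Reader)
	zpub, zpriv, _ := ed25519.GenerateKey(rand.Reader)
	z := &Zone{Name: name, Keys: []DNSKEY{kpub, zpub}, kskPriv: kpriv, zskPriv: zpriv, RRsets: map[string]RRset{}}
	z.Add(RRset{Name: name, Type: "DNSKEY", RData: []string{hex.EncodeToString(kpub), hex.EncodeToString(zpub)}})
	return z
}

// Sign: the KSK signs only the DNSKEY RRset, the ZSK everything else (RRSIG validity dates omitted).
func (z *Zone) Sign() {
	for k, rr := range z.RRsets {
		priv := z.zskPriv
		if rr.Type == "DNSKEY" {
			priv = z.kskPriv
		}
		rr.Sig = ed25519.Sign(priv, rr.canonical())
		z.RRsets[k] = rr
	}
}

// verified: does the RRSIG on name/type check out under any of keys? (Real resolvers narrow by key tag.)
func (z *Zone) verified(name, typ string, keys []DNSKEY) bool {
	rr, ok := z.RRsets[rrKey(name, typ)]
	for _, k := range keys {
		if ok && ed25519.Verify(k, rr.canonical(), rr.Sig) {
			return true
		}
	}
	return false
}

// Validate walks the chain from a configured trust anchor (the parent's KSK here) to the answer.
func Validate(anchor DNSKEY, parent, child *Zone, name, typ string) bool {
	if !parent.verified(parent.Name, "DNSKEY", []DNSKEY{anchor}) || // 1. anchor signs parent DNSKEY set
		!parent.verified(child.Name, "DS", parent.Keys) { // 2. a parent key signs the child's DS
		return false
	}
	var ksks []DNSKEY // 3. child keys whose DS digest the parent published become trusted
	for _, d := range parent.RRsets[rrKey(child.Name, "DS")].RData {
		for _, k := range child.Keys {
			if DS(child.Name, k) == d {
				ksks = append(ksks, k)
			}
		}
	}
	// 4. one of them must sign the child DNSKEY set; 5. a child key must sign the answer
	return child.verified(child.Name, "DNSKEY", ksks) && child.verified(name, typ, child.Keys)
}

// BuildChain: signed parent and child with the delegation's DS (names and addresses are constructed sample data).
func BuildChain() (anchor DNSKEY, parent, child *Zone) {
	parent, child = NewZone("example."), NewZone("shop.example.")
	child.Add(RRset{Name: "www.shop.example.", Type: "A", RData: []string{"192.0.2.10", "192.0.2.11"}})
	child.Sign()
	parent.Add(RRset{Name: child.Name, Type: "DS", RData: []string{DS(child.Name, child.Keys[0])}})
	parent.Sign()
	return parent.Keys[0], parent, child
}

func main() {
	anchor, parent, child := BuildChain()
	fmt.Println("intact chain:", Validate(anchor, parent, child, "www.shop.example.", "A"))
	forged := child.RRsets[rrKey("www.shop.example.", "A")] // spoofed answer: new address, old RRSIG
	forged.RData[0] = "198.51.100.66"                      // RData shares its backing array with the map entry
	fmt.Println("tampered answer:", Validate(anchor, parent, child, "www.shop.example.", "A"))
	rekeyed := NewZone(child.Name) // KSK rolled and zone re-signed, but the parent's DS never updated
	rekeyed.Add(child.RRsets[rrKey("www.shop.example.", "A")])
	rekeyed.Sign()
	fmt.Println("stale DS after rollover:", Validate(anchor, parent, rekeyed, "www.shop.example.", "A"))
}
```

Run it with `go run`: the intact chain prints true and the other two print false. The stale-DS case is the one to remember operationally: the re-keyed child zone is perfectly well signed, but to a validating resolver it is indistinguishable from an attack until the parent publishes the new DS and re-signs.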

Why It Matters for Web Hosting

For hosting buyers, DNSSEC affects domain reliability and security at the DNS layer. If your DNS is hijacked or poisoned, visitors can be redirected to malicious servers even when your web server is secure. A broken chain hurts just as much as a forged answer, though: if signatures are allowed to expire, or the DS record at the registrar no longer matches the zone's keys after a key rollover, validating resolvers return SERVFAIL and the domain goes dark for their users. So when comparing hosting plans and DNS management features, check whether the provider supports DNSSEC signing, DS record management at the registrar (ideally automated through CDS/CDNSKEY records), and safe, monitored key rotation. Also consider operational fit: signed responses are larger, which can push them past UDP size limits into truncation and TCP fallback, and the setup has more moving parts, so good tooling and monitoring matter.

Common Use Cases

  • Protecting website visitors from DNS cache poisoning and forged DNS answers
  • Securing MX records to reduce the risk of email redirection via DNS manipulation
  • Hardening high-value domains (brands, portals, admin panels) against DNS-based attacks
  • Supporting security policies that depend on DNS integrity (for example, DANE/TLSA where applicable)
  • Improving trust in multi-provider setups where DNS is hosted separately from web servers

DNSSEC vs DNS over HTTPS (DoH)

DNSSEC and DoH solve different problems. DNSSEC validates that DNS data is authentic and unmodified, regardless of how it is transported. DoH (like DNS over TLS) encrypts DNS queries between a client and its resolver, which stops eavesdropping and tampering on that path, but it does not prove that the resolver itself received authentic data from the authoritative zone; the client still depends on the resolver to perform DNSSEC validation (signalled by the AD bit in its responses) and on the encrypted channel to carry that result faithfully. In hosting decisions, DNSSEC is about protecting your domain's records from forgery, while DoH is mostly a client-to-resolver privacy and transport security feature; the two complement rather than replace each other.